Complexity Information Flow in a 
Multi-threaded Imperative Language 

Jean-Yves Marion and Romain Péchoux

Université de Lorraine, CNRS and INRIA
LORIA
jean-yves.marion@loria.fr, romain.pechoux@loria.fr

Abstract. We propose a type system to analyze the time consumed by multi-threaded imperative programs with a shared global memory, which delineates a class of safe multi-threaded programs. We demonstrate that a safe multi-threaded program runs in polynomial time if (i) it is strongly terminating wrt a non-deterministic scheduling policy or (ii) it terminates wrt a deterministic and quiet scheduling policy. As a consequence, we also characterize the set of polynomial time functions. The type system presented is based on the fundamental notion of data tiering, which is central in implicit computational complexity. It regulates the information flow in a computation. This aspect is interesting in that the type system bears a resemblance to type-based information flow analysis and notions of non-interference. As far as we know, this is the first characterization by a type system of polynomial time multi-threaded programs.

1 Introduction

The objective of this paper is to study the notion of complexity flow analysis introduced in [18] in the setting of concurrency. Our model of concurrency is a simple multi-threaded imperative programming language where threads communicate through global shared variables. The measure of time complexity that we consider for multi-threaded programs is the processing time, that is the total time for all threads to complete their tasks. As a result, the time measure gives an upper bound on the number of scheduling rounds. The first contribution of this paper is a novel type system, which guarantees that each strongly terminating safe multi-threaded program runs in polynomial time (see Section 3.2 and Theorem 6). Moreover, the runtime upper bound holds for all thread interactions.
As a simple example, consider the two-thread program: 

    x : while(X¹ == Y¹){skip};      y : while(X¹ ≠ Y¹){skip};
        C;                              C';
        X¹ := ¬X¹                       Y¹ := ¬Y¹

This example illustrates a simple synchronization protocol between two threads x and y. Commands C and C' are critical sections, which are assumed not to modify X and Y. The operator ¬ denotes the boolean negation. Both threads are safe if commands C and C' are safe with respect to the same typing environment. Our first result states that this two-thread program runs in polynomial time (in the size of the initial shared variable values) if it is strongly terminating and safe.

Then, we consider a class of deterministic schedulers, that we call quiet (see Section 8). The class of deterministic and quiet schedulers contains all deterministic scheduling policies which depend only on threads. A typical example is a round-robin scheduler. The second contribution of this paper is that a safe multi-threaded program which is terminating wrt a deterministic and quiet scheduler runs in polynomial time. Despite the fact that it is not strongly terminating, the two-thread program below terminates under a round-robin scheduler, if C and C' terminate.

    x : while(X¹ > 0){              y : while(Z¹ > 0){
          C;                              C';
          Z¹ := 0 : 1 } : 1               X¹ := X¹ − 1 : 1 } : 1

If commands C and C' are safe, then this two-thread program runs in polynomial time wrt a round-robin scheduler. The last contribution is that if we just consider one-thread programs, then we characterize exactly FPtime, which is the class of polynomial time functions (see Theorem 7).

The first rationale behind our type system comes from the data-ramification concept of Bellantoni and Cook [5] and Leivant [16]. The type system has two atomic types 0 and 1 that we call tiers. The type system precludes that values flow from tier 0 to tier 1 variables. Therefore, it prevents circular algorithmic definitions, which may possibly lead to an exponential length computation. More precisely, explicit flow from 0 to 1 is forbidden by requiring that the type level of the assigned variable is less than or equal to the type level of the source expression. Implicit flow is prevented by requiring that (i) branches of a conditional are of the same type and (ii) guard and body of while loops are of tier 1. If we compare with the data-ramification concept of [5,16], tier 1 parameters correspond to variables on which a ramified recursion is performed whereas tier 0 parameters correspond to variables on which recursion is forbidden.

The second rationale behind our type system comes from secure flow analysis. See the survey by Sabelfeld and Myers [21] for an overview of information flow analysis. In [23] for sequential imperative programs and in [22] for a multi-threaded imperative programming language, Irvine, Smith and Volpano give a type system to certify a confidentiality policy. Types are based on security levels, say H (High) and L (Low). The type system prevents any leak of information from level H to level L, which is similar to our type system: 0 (resp. 1) corresponds to H (resp. L). In fact, our approach rather coincides with an integrity policy [6] (i.e. the "no read down" rule) than with a confidentiality one [3]. A key property is non-interference, which says that values of level L don't change values of level H. We demonstrate a similar non-interference result which states that values stored in tier 1 variables are independent from tier 0 variables. See Section 3 for a precise statement. From this, we demonstrate a temporal non-interference property which expresses that the number of unfolded while loops (i.e. the length) only depends on tier 1 variables, see Section 5. The temporal non-interference property is the crucial point to establish complexity bounds.

From a practical standpoint, an important issue is the expressivity of the class of safe multi-threaded programs. With this work and [18], we introduce a new approach in implicit computational complexity based on a type system. This study focuses on the intrinsic mechanisms which lead to analyzing computational complexity. This approach seems promising because it treats common algorithmic control structures like while-loops as well as sequential and parallel composition. Several examples are presented in the Appendix.

Related works. An important source of inspiration comes from Implicit Computational Complexity (ICC). Besides the works of Bellantoni, Cook and Leivant already cited, there are works on light logics [10,13], on linear types [11], and interpretation methods [7,19], just to mention a few. There are also works on resource control of imperative languages like [12,13,20]. Only a few studies based on ICC methods are related to resource control of concurrent computational models. In [2], a bound on the resources needed by synchronous cooperative threads in a functional framework is computed. The paper [?] provides a static analysis for ensuring feasible reactivity in a synchronous π-calculus. In [17] an elementary affine logic is introduced to tame the complexity of a modal call-by-value lambda calculus with multi-threading and side effects. There are also works on the termination of multi-threaded imperative languages [9]. In this paper, we separate complexity analysis from termination analysis, but the tools on termination can be combined with our results since most of them require strong normalization of the considered process as an assumption. Finally, our type system in this paper may be seen as a simplification of the type system of [18] for an imperative language, but in return there is no declassification mechanism.

2 A complexity flow type system 

2.1 A multi-threaded programming language 

We introduce a multi-threaded imperative programming language similar to the language of [22,8] and which is an extension of the simple while-imperative programming language of [14]. A multi-threaded program consists of a finite set of threads where each thread is a while-program. Threads run concurrently on a common shared memory. A thread interacts with other threads by reading and writing on the shared memory.

Commands and expressions are built from a set V of variables, and a set O of operators of fixed arity including constants (operators of arity 0) as follows:

    Expressions   E, E₁, …, Eₙ ::= X | op(E₁, …, Eₙ)          X ∈ V, op ∈ O
    Commands      C, C' ::= X := E | C ; C' | skip | if E then C else C' | while(E){C}

A multi-threaded program M (or just program when there is no ambiguity) is a finite map from thread identifiers x, y, … to commands. We write dom(M) to denote the set of thread identifiers. Note also that we do not consider the ability of generating new threads. Let V(I) be the set of variables occurring in I, where I is an expression, a command or a multi-threaded program.

2.2 Semantics 

We give a standard small step operational semantics for multi-threaded programs. Let $W$ be the set of words¹ over a finite alphabet $\Sigma$ including two words $\mathtt{tt}$ and $\mathtt{ff}$ that denote true and false. The length of a word $d$ is denoted $|d|$. A store $\mu$ is a finite mapping from $V$ to $W$. We write $\mu[X_1 \leftarrow d_1, \dots, X_n \leftarrow d_n]$ to mean the store $\mu'$ where each $X_i$ is updated to $d_i$.

The evaluation rules for expressions and commands are given in Figure 1. Each operator of arity $n$ is interpreted by a total function $[\![op]\!] : W^n \rightarrow W$. The judgment $\mu \models E \rightarrow d$ means that the expression $E$ is evaluated to the word $d \in W$ wrt $\mu$. A configuration $c$ is either a pair of store and command, $\mu \models C$, or a store $\mu$. The judgment $\mu \models C \rightarrow_s \mu'$ expresses that $C$ terminates and outputs the store $\mu'$. $\mu \models C \rightarrow_s \mu' \models C'$ means that the evaluation of $C$ is still in progress: the command has evolved to $C'$ and the store has been updated to $\mu'$.

For a multi-threaded program $M$, the store $\mu$ plays the role of a global memory shared by all threads. The store $\mu$ is the only way for threads to communicate. The definition of the global relation $\rightarrow_g$ is given in Figure 1, where $M - x$ is the restriction of $M$ to $\mathrm{dom}(M) - \{x\}$ and $M[x := C_1]$ is the map $M$ where the command assigned to $x$ is updated to $C_1$. At each step, a thread $x$ is chosen non-deterministically. Then, one step of $x$ is performed and the control returns to the upper level. Note that the rule (Stop) halts the computation of a thread. In what follows, let $\emptyset$ be a notation for the (empty) multi-threaded program (i.e. all threads have terminated). We will discuss deterministic scheduling policies in the last section.

A multi-threaded program $M$ is strongly terminating, noted $M\Downarrow$, if for any store, all reduction sequences starting from $M$ are finite. Let $\rightarrow_h^k$ be the $k$-fold self composition and $\rightarrow_h^*$ be the reflexive and transitive closure of the relation $\rightarrow_h$, $h \in \{s, g\}$. The running time of a strongly terminating program $M$ is the function $\mathrm{Time}_M$ from $W^n$ to $\mathbb{N}$ defined by:

$$\mathrm{Time}_M(d_1, \dots, d_n) = \max\{k \mid \mu_0[X_1 \leftarrow d_1, \dots, X_n \leftarrow d_n] \models M \rightarrow_g^k \mu \models \emptyset\}$$

where $\mu_0$ is the empty store that maps each variable to the empty word $\epsilon \in W$. A strongly terminating multi-threaded program $M$ is running in polynomial time if there is a polynomial $Q$ such that for all $d_1, \dots, d_n \in W$, $\mathrm{Time}_M(d_1, \dots, d_n) \le Q(\max_{i=1..n} |d_i|)$. Observe that, in the above definition, the time consumption of an operator is considered as constant, which is fair if operators are supposed to be computable in polynomial time.



¹ Our result could be generalized to other domains such as binary trees or lists. However we have restricted this study to words in order to lighten our presentation.



$$\frac{}{\mu \models X \rightarrow \mu(X)} \qquad
\frac{\mu \models E_1 \rightarrow d_1 \;\dots\; \mu \models E_n \rightarrow d_n}{\mu \models op(E_1, \dots, E_n) \rightarrow [\![op]\!](d_1, \dots, d_n)}$$

$$\frac{}{\mu \models \mathtt{skip} \rightarrow_s \mu} \qquad
\frac{\mu \models E \rightarrow d}{\mu \models X\,{:=}\,E \rightarrow_s \mu[X \leftarrow d]} \qquad
\frac{\mu \models C_1 \rightarrow_s \mu_1}{\mu \models C_1 ; C_2 \rightarrow_s \mu_1 \models C_2} \qquad
\frac{\mu \models C_1 \rightarrow_s \mu_1 \models C_1'}{\mu \models C_1 ; C_2 \rightarrow_s \mu_1 \models C_1' ; C_2}$$

$$\frac{\mu \models E \rightarrow w \quad w \in \{\mathtt{tt}, \mathtt{ff}\}}{\mu \models \mathtt{if}\ E\ \mathtt{then}\ C_{\mathtt{tt}}\ \mathtt{else}\ C_{\mathtt{ff}} \rightarrow_s \mu \models C_w} \qquad
\frac{\mu \models E \rightarrow \mathtt{ff}}{\mu \models \mathtt{while}(E)\{C\} \rightarrow_s \mu} \qquad
(W_{\mathtt{tt}})\ \frac{\mu \models E \rightarrow \mathtt{tt}}{\mu \models \mathtt{while}(E)\{C\} \rightarrow_s \mu \models C ; \mathtt{while}(E)\{C\}}$$

$$(\mathrm{Stop})\ \frac{M(x) = C \quad \mu \models C \rightarrow_s \mu_1}{\mu \models M \rightarrow_g \mu_1 \models M - x} \qquad
(\mathrm{Step})\ \frac{M(x) = C \quad \mu \models C \rightarrow_s \mu_1 \models C_1}{\mu \models M \rightarrow_g \mu_1 \models M[x := C_1]}$$

Fig. 1. Small step semantics of expressions, commands and multi-threads

2.3 Type system 

Atomic types are elements of the boolean lattice $(\{0, 1\}, \preceq, 0, \vee, \wedge)$ where $0 \preceq 1$. We call them tiers according to the data ramification principle of [15]. We use $\alpha, \beta, \dots$ for tiers. A variable typing environment $\Gamma$ is a finite mapping from $V$ to $\{0, 1\}$, which assigns a single tier to each variable. An operator typing environment $\Delta$ is a mapping that associates to each operator $op$ a set of operator types $\Delta(op)$, where the operator types corresponding to an operator of arity $n$ are of the shape $\alpha_1 \rightarrow \dots \rightarrow \alpha_n \rightarrow \alpha$ with $\alpha_i, \alpha \in \{0, 1\}$, using implicit right associativity of $\rightarrow$. We write $\mathrm{dom}(\Gamma)$ (resp. $\mathrm{dom}(\Delta)$) to denote the set of variables typed by $\Gamma$ (resp. the set of operators typed by $\Delta$). Figure 2 gives the typing discipline for expressions, commands and multi-threaded programs. Given a multi-threaded program $M$, a variable typing environment $\Gamma$ and an operator typing environment $\Delta$, $M$ is well-typed if for every $x \in \mathrm{dom}(M)$, $\Gamma, \Delta \vdash M(x) : \alpha$ for some tier $\alpha$.

Notice that the subject reduction property is not valid, because we don't explicitly have any subtyping rule. However, a weak subject reduction property holds: if $\Gamma, \Delta \vdash C : \alpha$ and $\mu \models C \rightarrow_s \mu' \models C'$ then $\Gamma, \Delta \vdash C' : \beta$ where $\beta \preceq \alpha$.

3 Safe multi-threaded program 

3.1 Neutral and positive operators 

As in [18], we define two classes of operators called neutral and positive. For this, let $\trianglelefteq$ be the sub-word relation over $W$, which is defined by $v \trianglelefteq w$ iff there are $u$ and $u'$ such that $w = u.v.u'$, where $.$ is the concatenation.

$$\frac{\Gamma(X) = \alpha}{\Gamma, \Delta \vdash X : \alpha} \qquad
\frac{\Gamma, \Delta \vdash X : \beta \quad \Gamma, \Delta \vdash E : \alpha \quad \beta \preceq \alpha}{\Gamma, \Delta \vdash X\,{:=}\,E : \beta} \qquad
\frac{\Gamma, \Delta \vdash E_1 : \alpha_1 \;\dots\; \Gamma, \Delta \vdash E_n : \alpha_n \quad \alpha_1 \rightarrow \dots \rightarrow \alpha_n \rightarrow \alpha \in \Delta(op)}{\Gamma, \Delta \vdash op(E_1, \dots, E_n) : \alpha}$$

$$\frac{\Gamma, \Delta \vdash E : 1 \quad \Gamma, \Delta \vdash C : \alpha}{\Gamma, \Delta \vdash \mathtt{while}(E)\{C\} : 1} \qquad
\frac{\Gamma, \Delta \vdash C : \alpha \quad \Gamma, \Delta \vdash C' : \beta}{\Gamma, \Delta \vdash C ; C' : \alpha \vee \beta} \qquad
\frac{}{\Gamma, \Delta \vdash \mathtt{skip} : \alpha} \qquad
\frac{\Gamma, \Delta \vdash E : \alpha \quad \Gamma, \Delta \vdash C : \alpha \quad \Gamma, \Delta \vdash C' : \alpha}{\Gamma, \Delta \vdash \mathtt{if}\ E\ \mathtt{then}\ C\ \mathtt{else}\ C' : \alpha}$$

Fig. 2. Type system for expressions, commands

An operator $op$ is neutral if:

1. either $[\![op]\!] : W^n \rightarrow \{\mathtt{tt}, \mathtt{ff}\}$ is a predicate;

2. or for all $d_1, \dots, d_n \in W$, $\exists i \in \{1, \dots, n\}$, $[\![op]\!](d_1, \dots, d_n) \trianglelefteq d_i$.

An operator $op$ is positive if there is a constant $c_{op}$ such that:

$$|[\![op]\!](d_1, \dots, d_n)| \le \max_i |d_i| + c_{op}$$

A neutral operator is always a positive operator but the converse is not true. In the remainder, we assume that operators are all neutral or positive.

3.2 Safe environments and safe multi-threaded programs 

An operator typing environment $\Delta$ is safe if for each $op \in \mathrm{dom}(\Delta)$ of arity $n$ and for each $\alpha_1 \rightarrow \dots \rightarrow \alpha_n \rightarrow \alpha \in \Delta(op)$, we have $\alpha \preceq \bigwedge_{i=1..n} \alpha_i$, and if the operator $op$ is positive but not neutral, then $\alpha = 0$.

Now, given $\Gamma$ a variable typing environment and $\Delta$ an operator typing environment, we say that $M$ is a safe multi-threaded program if $M$ is well-typed wrt $\Gamma$ and $\Delta$ and $\Delta$ is safe.

Intuitively, a tier 0 argument is unsafe. This means that it cannot be used as a loop guard. So for "loop-safety" reasons, if an operator has a tier 0 argument then the result is necessarily of tier 0. In return, a positive operator can increase the size of its arguments. On the other hand, a neutral operator does not increase the size of its arguments. So, we can apply it safely everywhere. The combination of the type system, which guarantees some safety properties on the information flow, and of operator specificities provides time bounds.

Example 1. Given a word $d$, the operator $eq_d$ tests whether or not its argument begins with the prefix $d$ and $pred$ computes the predecessor.

$$[\![eq_d]\!](u) = \begin{cases} \mathtt{tt} & \text{if } u = d.w \\ \mathtt{ff} & \text{otherwise} \end{cases} \qquad
[\![pred]\!](u) = \begin{cases} \epsilon & \text{if } u = \epsilon \\ w & \text{if } u = \ell.w,\ \ell \in \Sigma \end{cases}$$

Both operators are neutral. This means that their types satisfy $\Delta(pred), \Delta(eq_d) \subseteq \{0 \rightarrow 0, 1 \rightarrow 1, 1 \rightarrow 0\}$ wrt a safe environment $\Delta$. The operator $suc_d$ adds a prefix $d$. It is positive, but not neutral. So, $\Delta(suc_d) \subseteq \{1 \rightarrow 0, 0 \rightarrow 0\}$:

$$\text{(Positive)} \qquad [\![suc_d]\!](b) = d.b \qquad d \in \Sigma$$
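As an added example of the typing discipline of Figure 2 and of the safety condition on operator typing environments above (this is my own code, not the paper's), the following checker computes the set of tiers derivable for an expression or a command and decides whether an operator typing environment is safe. Neutrality and positivity are semantic properties of operators (Section 3.1), so the caller declares which operators are positive but not neutral. The AST encoding and the operator names inc, dec and gt0 (standing for the +1, −1 and > 0 of Example 2 in the appendix) are assumptions of this example.

```python
# Added example, not the paper's code: a checker for the tier type system of
# Figure 2 plus the safety condition of Section 3.2.  AST encoding and names
# are assumptions of this example.
TIERS = (0, 1)   # the lattice ({0,1}, <=, 0, max, min) with 0 < 1

# Expressions: ('var', name) | ('op', name, (args...))
# Commands:    ('skip',) | ('assign', name, expr) | ('seq', c1, c2)
#              | ('if', expr, c_tt, c_ff) | ('while', expr, body)
# An operator type a1 -> ... -> an -> a is encoded as ((a1, ..., an), a).

def safe_env(delta, positive_only):
    """Section 3.2: Delta is safe iff every a1->...->an->a in Delta(op) has
    a <= min(a1..an), and every positive-but-not-neutral op returns tier 0."""
    for op, types in delta.items():
        for args, res in types:
            if args and res > min(args):
                return False
            if op in positive_only and res != 0:
                return False
    return True

def type_expr(gamma, delta, e):
    """All tiers alpha with Gamma,Delta |- e : alpha (empty set = untypable)."""
    if e[0] == 'var':
        return {gamma[e[1]]}
    _, op, args = e
    arg_tiers = [type_expr(gamma, delta, a) for a in args]
    return {res for args_t, res in delta.get(op, ())
            if len(args_t) == len(args)
            and all(a in tiers for a, tiers in zip(args_t, arg_tiers))}

def type_cmd(gamma, delta, c):
    """All tiers alpha with Gamma,Delta |- c : alpha, following Figure 2."""
    kind = c[0]
    if kind == 'skip':
        return set(TIERS)
    if kind == 'assign':                 # beta <= alpha: no explicit flow 0 -> 1
        beta = gamma[c[1]]
        return {beta} if any(beta <= a for a in type_expr(gamma, delta, c[2])) else set()
    if kind == 'seq':                    # C ; C' : alpha v beta
        return {max(a, b) for a in type_cmd(gamma, delta, c[1])
                          for b in type_cmd(gamma, delta, c[2])}
    if kind == 'if':                     # guard and both branches share one tier
        return (type_expr(gamma, delta, c[1]) & type_cmd(gamma, delta, c[2])
                & type_cmd(gamma, delta, c[3]))
    if kind == 'while':                  # guard of tier 1, body typable, loop : 1
        if 1 in type_expr(gamma, delta, c[1]) and type_cmd(gamma, delta, c[2]):
            return {1}
        return set()
    raise ValueError(c)

def is_safe_program(threads, gamma, delta, positive_only):
    """Section 3.2: every thread has a tier wrt Gamma, Delta and Delta is safe."""
    return safe_env(delta, positive_only) and all(
        type_cmd(gamma, delta, c) for c in threads.values())

# Example 2's add_Y: X is tier 1, Y tier 0; +1 (inc) is positive and typed
# 0 -> 0, -1 (dec) and > 0 (gt0) are neutral and typed 1 -> 1.
GAMMA = {'X': 1, 'Y': 0}
DELTA = {'inc': {((0,), 0)}, 'dec': {((1,), 1)}, 'gt0': {((1,), 1)}}
POSITIVE_ONLY = {'inc'}
X, Y = ('var', 'X'), ('var', 'Y')
ADD_Y = ('while', ('op', 'gt0', (X,)),
         ('seq', ('assign', 'X', ('op', 'dec', (X,))),
                 ('assign', 'Y', ('op', 'inc', (Y,)))))

# Rejected programs: an explicit flow from tier 0 into tier 1 ...
BAD_FLOW = ('assign', 'X', Y)
# ... and a loop guarded by a tier-0 variable (implicit flow into loop length).
BAD_GUARD = ('while', ('op', 'gt0', (Y,)), ('assign', 'Y', ('op', 'dec', (Y,))))

if __name__ == '__main__':
    print('add_Y :', type_cmd(GAMMA, DELTA, ADD_Y))
    print('X := Y typable?', bool(type_cmd(GAMMA, DELTA, BAD_FLOW)))
    print('+1 typed 1 -> 1 safe?', safe_env({'inc': {((1,), 1)}}, POSITIVE_ONLY))
```

Because the rules of Figure 2 have no subtyping, the checker returns the set of all derivable tiers rather than a single one; a command is well-typed exactly when that set is non-empty, and the sequence rule takes the join of the tiers of its two halves as in Figure 2.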



4 Sequential and concurrent non-interferences 

In this section, we demonstrate that classical non-interference results are obtained through the use of the considered type system. For that purpose, we introduce some intermediate lemmata. The confinement Lemma expresses the fact that no tier 1 variables are modified by a command of tier 0.

Lemma 1 (Confinement). Let $\Gamma$ be a variable typing environment and $\Delta$ be a safe operator typing environment. If $\Gamma, \Delta \vdash C : 0$, then every variable assigned to in $C$ is of type 0, and $C$ does not contain while loops.

Proof. By induction on the structure of $C$. □

The following lemma, called simple security, says that only variables at level 1 will have their content read in order to evaluate an expression $E$ of type 1.

Lemma 2 (Simple security). Let $\Gamma$ be a variable typing environment and $\Delta$ be a safe operator typing environment. If $\Gamma, \Delta \vdash E : 1$, then for every $X \in V(E)$, we have $\Gamma(X) = 1$. Moreover, all operators in $E$ are neutral.

Proof. By induction on $E$, and using the fact that $E$ is necessarily only composed of operators of type $1 \rightarrow \dots \rightarrow 1 \rightarrow 1$, because the environment is safe. □

Definition 1. Let $\Gamma$ be a variable typing environment and $\Delta$ be an operator typing environment.

– The equivalence relation $\approx_{\Gamma,\Delta}$ on stores is defined as follows:

$$\mu \approx_{\Gamma,\Delta} \sigma \ \text{ iff for every } X \in \mathrm{dom}(\Gamma) \text{ s.t. } \Gamma(X) = 1 \text{ we have } \mu(X) = \sigma(X)$$

– The relation $\approx_{\Gamma,\Delta}$ is extended to commands as follows:

1. If $C = C'$ then $C \approx_{\Gamma,\Delta} C'$

2. If $\Gamma, \Delta \vdash C : 0$ and $\Gamma, \Delta \vdash C' : 0$ then $C \approx_{\Gamma,\Delta} C'$

3. If $C \approx_{\Gamma,\Delta} C'$ and $D \approx_{\Gamma,\Delta} D'$ then $C ; D \approx_{\Gamma,\Delta} C' ; D'$

– Finally, it is extended to configurations as follows: if $C \approx_{\Gamma,\Delta} C'$ and $\mu \approx_{\Gamma,\Delta} \sigma$ then $\mu \models C \approx_{\Gamma,\Delta} \sigma \models C'$

Remark 1. A consequence of Lemma 2 is that if $\mu \approx_{\Gamma,\Delta} \sigma$ and if $\Gamma, \Delta \vdash E : 1$, then computations of $E$ are identical under the stores $\mu$ and $\sigma$, that is $\mu \models E \rightarrow d$ and $\sigma \models E \rightarrow d$.

We now establish a sequential non-interference Theorem which states that if $X$ is a variable of tier 1 then the value stored in $X$ is independent from variables of tier 0.
Theorem 1 (Sequential non-interference). Assume that $\Gamma$ is a variable typing environment and $\Delta$ is a safe operator typing environment s.t. $\Gamma, \Delta \vdash C : \alpha$ and $\Gamma, \Delta \vdash D : \alpha$. Assume also that $\mu \models C \approx_{\Gamma,\Delta} \sigma \models D$. Then, we have:

– if $\mu \models C \rightarrow_s \mu' \models C'$ then there exist $\sigma'$ and $D'$ such that $\sigma \models D \rightarrow_s \sigma' \models D'$ and $\mu' \models C' \approx_{\Gamma,\Delta} \sigma' \models D'$,

– if $\mu \models C \rightarrow_s \mu'$ then there exists $\sigma'$ such that $\sigma \models D \rightarrow_s \sigma'$ and $\mu' \approx_{\Gamma,\Delta} \sigma'$.

Proof. First suppose that $\alpha = 0$. Confinement Lemma 1 implies that $\mu' \approx_{\Gamma,\Delta} \sigma'$ since no tier 1 variable is changed. Second suppose that $\alpha = 1$. We proceed by induction on $C$. Suppose that $C$ is $\mathtt{while}(E)\{C_1\}$ and the evaluation under $\mu$ is:

$$(W_{\mathtt{tt}})\ \frac{\mu \models E \rightarrow \mathtt{tt}}{\mu \models \mathtt{while}(E)\{C_1\} \rightarrow_s \mu' \models C_1 ; \mathtt{while}(E)\{C_1\}}$$

By Remark 1 the evaluation of $E$ under $\sigma$ is necessarily $\mathtt{tt}$. Since $C$ is an atomic command, $C \approx_{\Gamma,\Delta} D$ implies $C = D$. As a result, $\sigma \models \mathtt{while}(E)\{C_1\} \rightarrow_s \sigma' \models C_1 ; \mathtt{while}(E)\{C_1\}$. We have $\mu' \approx_{\Gamma,\Delta} \sigma'$ because $\mu = \mu'$ and $\sigma = \sigma'$. We conclude that both configurations are equivalent, that is $\mu' \models C' \approx_{\Gamma,\Delta} \sigma' \models D'$. The other cases are treated similarly. □

Sequential non-interference can be adapted to multi-threaded programs. For that purpose, we extend the equivalence $\approx_{\Gamma,\Delta}$ to multi-threaded programs by:

– If $\forall x \in \mathrm{dom}(M) = \mathrm{dom}(M')$, $M(x) \approx_{\Gamma,\Delta} M'(x)$ then $M \approx_{\Gamma,\Delta} M'$

– If $M \approx_{\Gamma,\Delta} M'$ and $\mu \approx_{\Gamma,\Delta} \sigma$ then $\mu \models M \approx_{\Gamma,\Delta} \sigma \models M'$

Theorem 2 (Concurrent Non-interference). Assume that $\Gamma$ is a variable typing environment and that $\Delta$ is a safe operator typing environment such that $M_1$ and $M_2$ are well-typed. Assume also that $\mu \models M_1 \approx_{\Gamma,\Delta} \sigma \models M_2$. Then, if $\mu \models M_1 \rightarrow_g \mu' \models M_1'$ then there are $\sigma'$ and $M_2'$ s.t. $\sigma \models M_2 \rightarrow_g^* \sigma' \models M_2'$ and $\mu' \models M_1' \approx_{\Gamma,\Delta} \sigma' \models M_2'$.

Proof. Consequence of Theorem 1. □



5 Sequential and concurrent temporal non-interferences 

Now we establish a property named temporal non-interference. This property ensures that the length of while-loops does not depend on variables of tier 0, and depends only on tier 1 variables. Consequently, a change in the value of a variable of tier 0 does not affect loop lengths.

For this, we define a loop length measure in Figure 3 based on the small step semantics of Figure 1. $\sigma \models_0 C \rightarrow^* \sigma' \models_t C'$ holds if $t$ is the number of while-loops which are unfolded to reach $\sigma' \models C'$ from $\sigma \models C$, that is $t$ is the number of applications of the rule $(TW_{\mathtt{tt}})$ in a computation. It is convenient to define the relation $\Rightarrow_t$ by $\sigma \models C \Rightarrow_t \sigma' \models C'$ iff $\sigma \models_0 C \rightarrow^* \sigma' \models_t C'$.



$$\frac{\mu \models E \rightarrow d}{\mu \models_t X\,{:=}\,E \rightarrow \mu[X \leftarrow d]} \qquad
\frac{}{\mu \models_t \mathtt{skip} \rightarrow \mu} \qquad
\frac{\mu \models_t C_1 \rightarrow \mu_1}{\mu \models_t C_1 ; C_2 \rightarrow \mu_1 \models_t C_2} \qquad
\frac{\mu \models_t C_1 \rightarrow \mu_1 \models_{t'} C_1'}{\mu \models_t C_1 ; C_2 \rightarrow \mu_1 \models_{t'} C_1' ; C_2}$$

$$\frac{\mu \models E \rightarrow w \quad w \in \{\mathtt{tt}, \mathtt{ff}\}}{\mu \models_t \mathtt{if}\ E\ \mathtt{then}\ C_{\mathtt{tt}}\ \mathtt{else}\ C_{\mathtt{ff}} \rightarrow \mu \models_t C_w} \qquad
\frac{\mu \models E \rightarrow \mathtt{ff}}{\mu \models_t \mathtt{while}(E)\{C\} \rightarrow \mu} \qquad
(TW_{\mathtt{tt}})\ \frac{\mu \models E \rightarrow \mathtt{tt}}{\mu \models_t \mathtt{while}(E)\{C\} \rightarrow \mu \models_{t+1} C ; \mathtt{while}(E)\{C\}}$$

$$\frac{M(x) = C \quad \mu \models_t C \rightarrow \mu'}{\mu \models_t M \rightarrow \mu' \models_t M - x} \qquad
\frac{M(x) = C \quad \mu \models_t C \rightarrow \mu' \models_{t'} C'}{\mu \models_t M \rightarrow \mu' \models_{t'} M[x := C']}$$

Fig. 3. Loop length measure for commands and multi-thread programs

Remark 2. If $\Gamma, \Delta \vdash C : 0$ and $\sigma \models C \rightarrow_s^* \sigma' \models C'$ then $\sigma \models C \Rightarrow_0 \sigma' \models C'$ since there is no while loop inside $C$, by Lemma 1. Moreover, if $\sigma \models C \Rightarrow_t \sigma' \models C'$, then for every $k \le t$ there are $\sigma''$ and $C''$ such that $\sigma \models C \Rightarrow_k \sigma'' \models C'' \Rightarrow_{t-k} \sigma' \models C'$.

Theorem 3 (Temporal non-interference). Assume that $\Gamma$ is a variable typing environment and $\Delta$ is a safe operator typing environment s.t. $\Gamma, \Delta \vdash C : \alpha$ and $\Gamma, \Delta \vdash D : \alpha$. Assume also that $\mu \models C \approx_{\Gamma,\Delta} \sigma \models D$. Then, if $\mu \models C \Rightarrow_t \mu' \models C'$ then there are $\sigma'$ and $D'$ s.t. $\sigma \models D \Rightarrow_t \sigma' \models D'$ and $\mu' \models C' \approx_{\Gamma,\Delta} \sigma' \models D'$.

Proof. The proof goes by induction on $t$. Suppose that $t = 0$. This means that no rule $(TW_{\mathtt{tt}})$ has been fired. The conclusion is a consequence of sequential non-interference Theorem 1.

Next, suppose that $\mu \models C \Rightarrow_{t+1} \mu' \models C'$. This means that a rule $(TW_{\mathtt{tt}})$ has been applied. So suppose that $C = \mathtt{while}(E)\{C_1\}$ and that $\mu \models E \rightarrow \mathtt{tt}$. First, $\mu \approx_{\Gamma,\Delta} \sigma$ and Lemma 2 imply that $\sigma \models E \rightarrow \mathtt{tt}$. Second, since $C \approx_{\Gamma,\Delta} D$, we have $C = D$, by definition of $\approx_{\Gamma,\Delta}$. Since $C' = C_1 ; C$, we have $D' = C_1 ; C$. Thus, $C' \approx_{\Gamma,\Delta} D'$ and $\sigma \models D \Rightarrow_{t+1} \sigma' \models D'$ hold. Moreover, we have $\mu' = \mu$ and $\sigma' = \sigma$, which implies that $\mu' \approx_{\Gamma,\Delta} \sigma'$. We conclude that $\mu' \models C' \approx_{\Gamma,\Delta} \sigma' \models D'$. The other cases are similar. □

We extend the relation $\Rightarrow_t$ to multi-threaded programs as follows: $\mu \models M \Rightarrow_t \mu' \models M'$ if and only if $\mu \models_0 M \rightarrow_g^* \mu' \models_t M'$. As a corollary, we obtain a temporal non-interference result for multi-threaded programs.

Theorem 4 (Concurrent temporal non-interference). Assume $\Gamma$ is a variable typing environment and $\Delta$ is a safe operator typing environment s.t. $M$ and $N$ are well typed. Assume that $\mu \models M \approx_{\Gamma,\Delta} \sigma \models N$. Then, if $\mu \models M \Rightarrow_t \mu' \models M'$ then there are $\sigma'$ and $N'$ s.t. $\sigma \models N \Rightarrow_t \sigma' \models N'$ and $\mu' \models M' \approx_{\Gamma,\Delta} \sigma' \models N'$.

Proof. Consequence of Theorem 3. □
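To make the measures of Sections 2.2 and 5 concrete, here is an added example (my own code, not the authors'): an interpreter for the language of Section 2 that implements the small-step rules of Figure 1, counts loop unfoldings $t$ as in Figure 3, computes $\mathrm{Time}_M$ by exploring every interleaving of a strongly terminating program, and runs a round-robin scheduler of the kind Section 8 calls quiet. It runs Examples 3 and 5 of the appendix; the AST encoding, the operator names (zero, suc, pred, gt0) and the encoding of a unary number n as a string of n 1s are assumptions of this example.

```python
# Added example, not the paper's code: an interpreter implementing the
# small-step semantics of Figure 1, the loop-length measure t of Figure 3
# (one unit per firing of TW_tt), Time_M of Section 2.2 and a round-robin
# scheduler.  Words are strings; the unary number n is the string of n '1's,
# so '' stands for 0.  AST encoding and operator names are assumptions.

OPS = {  # operator interpretations (class in the sense of Section 3.1 noted)
    'zero': lambda: '',                     # constant, arity 0
    'suc':  lambda u: '1' + u,              # positive, not neutral: |u| + 1
    'pred': lambda u: u[1:],                # neutral: a sub-word of u
    'gt0':  lambda u: 'tt' if u else 'ff',  # neutral predicate
}

# Expressions: ('var', name) | ('op', name, (args...))
# Commands:    ('skip',) | ('assign', name, expr) | ('seq', c1, c2)
#              | ('if', expr, c_tt, c_ff) | ('while', expr, body)

def eval_expr(store, e):
    if e[0] == 'var':
        return store.get(e[1], '')          # mu_0 maps every variable to epsilon
    _, name, args = e
    return OPS[name](*[eval_expr(store, a) for a in args])

def step_cmd(store, c):
    """One step ->_s of Figure 1.  Returns (store', cmd', dt): cmd' is None when
    the command terminated; dt is 1 iff the step unfolded a while (TW_tt)."""
    kind = c[0]
    if kind == 'skip':
        return store, None, 0
    if kind == 'assign':
        new = dict(store)
        new[c[1]] = eval_expr(store, c[2])
        return new, None, 0
    if kind == 'seq':
        store1, c1, dt = step_cmd(store, c[1])
        return store1, (c[2] if c1 is None else ('seq', c1, c[2])), dt
    if kind == 'if':
        return store, (c[2] if eval_expr(store, c[1]) == 'tt' else c[3]), 0
    if kind == 'while':
        if eval_expr(store, c[1]) == 'tt':
            return store, ('seq', c[2], c), 1   # unfold to C ; while(E){C}
        return store, None, 0
    raise ValueError(c)

def step_thread(threads, store, x):
    """One global step ->_g of Figure 1 on thread x: rule (Stop) or (Step)."""
    store1, c1, dt = step_cmd(store, threads[x])
    rest = {y: c for y, c in threads.items() if y != x}   # M - x
    if c1 is not None:
        rest[x] = c1                                       # M[x := C1]
    return rest, store1, dt

def run(threads, store, schedule):
    """Run M to the empty program under a deterministic scheduler.  Returns
    (final store, k global steps, t loop unfoldings)."""
    threads, k, t = dict(threads), 0, 0
    while threads:
        threads, store, dt = step_thread(threads, store, schedule(threads, store))
        k, t = k + 1, t + dt
    return store, k, t

def make_round_robin():
    """Round-robin over the sorted thread identifiers (the paper's example of a
    quiet deterministic policy, Section 8)."""
    turn = [0]
    def schedule(threads, store):
        ids = sorted(threads)
        x = ids[turn[0] % len(ids)]
        turn[0] += 1
        return x
    return schedule

def round_robin_run(threads, store):
    return run(threads, store, make_round_robin())

def time_m(threads, store, memo=None):
    """Time_M of Section 2.2: the longest ->_g sequence to the empty program
    over all interleavings.  Only meaningful for strongly terminating M: on a
    non-terminating program the search does not bottom out."""
    memo = {} if memo is None else memo
    key = (tuple(sorted(threads.items())), tuple(sorted(store.items())))
    if key not in memo:
        best = 0
        for x in threads:
            rest, store1, _ = step_thread(threads, store, x)
            best = max(best, 1 + time_m(rest, store1, memo))
        memo[key] = best
    return memo[key]

X, Y, Z = ('var', 'X'), ('var', 'Y'), ('var', 'Z')
def gt0(e): return ('op', 'gt0', (e,))
def dec(e): return ('op', 'pred', (e,))
def inc(e): return ('op', 'suc', (e,))
# Example 3: x increments the tier-0 variable Z while counting X down,
# y resets Z while counting Y down.
EXAMPLE3 = {
    'x': ('while', gt0(X), ('seq', ('assign', 'Z', inc(Z)), ('assign', 'X', dec(X)))),
    'y': ('while', gt0(Y), ('seq', ('assign', 'Z', ('op', 'zero', ())), ('assign', 'Y', dec(Y)))),
}
# Example 5: x copies X into Y (a tier-1 flow), y consumes Y and counts in Z.
EXAMPLE5 = {
    'x': ('while', gt0(X), ('seq', ('assign', 'Y', X), ('assign', 'X', dec(X)))),
    'y': ('while', gt0(Y), ('seq', ('assign', 'Z', inc(Z)), ('assign', 'Y', dec(Y)))),
}

if __name__ == '__main__':
    for z in ('', '1111'):   # t and k ignore the tier-0 variable Z
        print('Example 3, Z=%r: (k, t) =' % z,
              round_robin_run(EXAMPLE3, {'X': '11', 'Y': '11', 'Z': z})[1:])
    print('Time_M of Example 5 on X=11:', time_m(EXAMPLE5, {'X': '11', 'Y': '', 'Z': ''}))
```

Running it shows the temporal non-interference of Theorem 4 on Example 3: stores that differ only in the tier 0 variable Z give the same loop length t (and here the same step count k), while $\mathrm{Time}_M$ of Example 5 grows with the tier 1 input X because the non-deterministic scheduler can let thread y consume every value that x writes into Y.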
6 Multi-threaded program running time

An important point is that the number of tier 1 configurations in a computation is polynomially bounded in the size of tier 1 initial values.

Lemma 3. Let $M$ be a safe multi-threaded program wrt environments $\Gamma$ and $\Delta$. If $\mu \models M \Rightarrow_t \mu' \models M'$ then $\forall X \in V(M)$ such that $\Gamma(X) = 1$, either $\mu'(X) \in \{\mathtt{tt}, \mathtt{ff}\}$ or $\exists Y \in V(M)$ such that $\Gamma(Y) = 1$ and $\mu'(X) \trianglelefteq \mu(Y)$.

Proof. Take one global computational step $\mu \models M \rightarrow_g \mu' \models M'$. Let $X$ be a variable assigned to in $M(x)$, for some thread identifier $x$, such that $\Gamma(X) = 1$. $X$ can only be assigned to an expression $E$ of tier 1. By the simple security Lemma 2, $E$ only contains neutral operators. It means that either $\mu'(X)$ is a truth value (corresponding to the computation of a predicate) or a sub-word of a value of a tier 1 variable. □

In the case where a multi-threaded program strongly terminates (i.e. $M\Downarrow$), we now establish that for all thread interactions, the maximal length of while-loops is polynomially bounded in the size of tier 1 values of the initial store. This is a consequence of the temporal non-interference property. For this, define $\|\cdot\|_1$ by $\|\mu\|_1 = \max_{\Gamma(X) = 1} |\mu(X)|$.

Theorem 5. Let $M$ be a safe multi-threaded program such that $M\Downarrow$. There is a polynomial $T$ such that for all stores $\mu$, if $\mu \models M \Rightarrow_t \mu' \models M'$ then $t \le T(\|\mu\|_1)$.

Proof. By Theorem 4, the length of while-loops depends only on variables of tier 1. It implies that if we enter twice into a configuration with the same thread, say $x$, and the same values of tier 1, we know that $M$ is non-terminating. Indeed, it is possible to repeat the same transition again up to infinity by always firing the same sequence of global transitions. This contradicts the fact that $M\Downarrow$. Consequently, we never enter twice in the same thread configuration. Since the number of sub-words of a word of size $n$ is bounded by $n^2$, Lemma 3 implies that the number of distinct stores $\sigma$ reachable from $\mu$ is bounded polynomially in $\|\mu\|_1$. It follows that the number of configurations is polynomially bounded. Consequently there exists a polynomial $T$ such that the length of each terminating multi-threaded computation starting from $\mu$ is bounded by $T(\|\mu\|_1)$. Finally, we have that $t \le T(\|\mu\|_1)$. □

We can now state our first main result:

Theorem 6. Assume that $M$ is a safe multi-threaded program. Moreover suppose that $M$ strongly terminates. There is a polynomial $Q$ such that:

$$\forall d_1, \dots, d_n \in W,\ \mathrm{Time}_M(d_1, \dots, d_n) \le Q(\max_{i=1..n} |d_i|)$$

Proof. Suppose that $\mu_0[X_1 \leftarrow d_1, \dots, X_n \leftarrow d_n] \models M \Rightarrow_t \mu' \models \emptyset$. The overall computational time is bounded by $\mathrm{Time}_M(d_1, \dots, d_n) \le r.t + r$, for some constant $r$ which depends on the size of $M$. (Note that commands of tier 0 contain no loops and so run in a constant number of steps.) We conclude by Theorem 5 and by setting $Q(X) = r.T(X) + r$. □
7 A characterization of polynomial time functions

We now come to a characterization of the set of functions computable in polynomial time. A sequential program $M$ consists of a single thread program (i.e. $\mathrm{dom}(M) = \{x\}$) and an output variable, say $Y$. The partial function $[\![M]\!]$ computed by $M$ is then defined by:

$$[\![M]\!](d_1, \dots, d_n) = w \ \text{ iff } \ \mu_0[X_1 \leftarrow d_1, \dots, X_n \leftarrow d_n] \models M \rightarrow_g^* \mu \models \emptyset \text{ and } \mu(Y) = w$$

Theorem 7. The set of functions computed by strongly terminating and safe sequential programs whose operators compute polynomial time functions is exactly FPtime, which is the set of polynomial time computable functions.

Proof. The polynomial runtime upper bound is a consequence of Theorem 6. The converse is a straightforward simulation of polynomial time Turing machines. The proof is postponed to the Appendix.

8 Deterministic scheduling

Actually, we can extend our results to a class of deterministic schedulers. Till now, we have considered a non-deterministic scheduling policy but in return we require that multi-threaded programs strongly terminate. Define $\mu{\downarrow}1$ as the restriction of the store $\mu$ to tier 1 variables. Say that a deterministic scheduler $S$ is quiet if the scheduling policy depends only on the current multi-threaded program $M$ and on $\mu{\downarrow}1$. For example, a deterministic scheduler whose policy just depends on running threads is quiet. Notice that $\sigma \approx_{\Gamma,\Delta} \sigma'$ iff $\sigma{\downarrow}1 = \sigma'{\downarrow}1$. Next, we replace the non-deterministic global transition of Figure 1 by:

$$\frac{S(M, \mu{\downarrow}1) = x \quad \mu \models M(x) \rightarrow_s \mu'}{\mu \models M \rightarrow_g \mu' \models M - x} \qquad
\frac{S(M, \mu{\downarrow}1) = x \quad \mu \models M(x) \rightarrow_s \mu' \models C}{\mu \models M \rightarrow_g \mu' \models M[x := C]}$$

Theorem 8. Let $M$ be a safe multi-threaded program s.t. $M$ is terminating wrt a deterministic and quiet scheduler $S$. There is a polynomial $Q$ such that:

$$\forall d_1, \dots, d_n \in W,\ \mathrm{Time}_M(d_1, \dots, d_n) \le Q(\max_{i=1..n} |d_i|)$$

Proof. The proof follows the outline of the proofs of Theorems 5 and 6. Let $\mu$ be the initial store, i.e. $\mu(X_i) = d_i$ for $i = 1..n$ and $\mu(X_i) = \epsilon$ for $i > n$. Since the computation of $\mu \models M$ terminates wrt $S$, the temporal non-interference Theorem 3 implies that a loop cannot reach two configurations $\sigma \models N$ and $\sigma' \models N$ whose restrictions to tier 1 values are identical, that is $\sigma{\downarrow}1 = \sigma'{\downarrow}1$. Now, define $\mathrm{Config} = \{(\sigma{\downarrow}1, N) \mid \mu \models M \rightarrow_g^* \sigma \models N\}$. The total length of loops is bounded by the cardinality of $\mathrm{Config}$. Following Lemma 3, the cardinality of $\mathrm{Config}$ is bounded by a polynomial in $\|\mu\|_1$. As a result, the runtime of $\mu \models M$ is bounded by $Q(\max_{i=1..n} |d_i|)$ for some polynomial $Q$. □
A Appendix

A.1 Proofs

Characterization of polynomial time functions

Theorem 7. The set of functions computed by strongly terminating and safe sequential programs whose operators compute polynomial time functions is exactly FPtime, which is the set of polynomial time computable functions.

Proof. By Theorem 6, the execution time of a safe and strongly terminating sequential program is bounded by a polynomial in the size of the initial values. In the other direction, we show that every polynomial time function over the set of words $W$ can be computed by a safe and terminating program. Consider a Turing Machine $TM$, with one tape and one head, which computes within $n^k$ steps for some constant $k$ and where $n$ is the input size. The tape of $TM$ is represented by two variables $Left$ and $Right$ which contain respectively the reversed left side of the tape and the right side of the tape. States are encoded by constant words and the current state is stored in the variable $State$. We assign to each of these three variables that hold a configuration of $TM$ the tier 0. A one step transition is simulated by a finite cascade of if-commands of the form:

    if eq_a(Right⁰)
    then
      if eq_s(State⁰)
      then
        State⁰ := s' ; : 0
        Left⁰ := suc_b(Left⁰) ; : 0
        Right⁰ := pred(Right⁰) : 0
      else … : 0

The above command expresses that if the current read letter is $a$ and the state is $s$, then the next state is $s'$, the head moves to the right and the read letter is replaced by $b$. Since each variable inside the above command is of type 0, the type of the if-command is also 0. Moreover, since $suc_b$ is a positive operator, its type is forced to be $0 \rightarrow 0$. $eq_a$, $eq_s$ and $pred$ being neutral operators, they can also be typed by $0 \rightarrow 0$.

Finally, it just remains to show that every polynomial can be simulated by a safe program of tier 1. We have already provided the programs for addition and multiplication in Example 2 and we let the reader check that it can be generalized to any polynomial. □

A.2 Examples

In what follows, let $E^\alpha$, respectively $C : \alpha$, be a notation meaning that the expression $E$, respectively command $C$, is of type $\alpha$ under the considered typing environments.
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Example 2. Consider the sequential programs addy and mulz that compute 
respectively addition and multiplication on unary words using the positive suc- 
cessor operator +1, in infix notation, and two neutral operators, —1 and a unary 
predicate > 0, both in infix notation. Both programs are safe by checking that 
their main commands are well-typed wrt the safe operator typing environment 
A defined by A(+l) = {0^0} and A(-l) = A(> 0) = {1 ->• 1}. 

addy : mulz '■ 

while(JC 1 > 0) 1 ! Z°:=0°;:0 

X 1 ~X 1 -1;:1 while (X 1 > 0) x { 

Y°:=Y° + 1:0 X 1 :=X 1 - 1;: 1 

}:1 t/ 1 :=y 1 ;:l 

while(y 1 >0) 1 { 
Y 1 -- Y 1 -1;: 1 
Z°: = Z° + 1 : 

Y 1 -- U 1 : 1 
}:1 

Example 3. Consider the following multi-thread M composed of two threads x 
and y computing on unary numbers: 

x: 

  while(X^1 > 0)^1 { 
    Z^0 := Z^0 + 1; :0 
    X^1 := X^1 - 1 :1 
  } :1 

y: 

  while(Y^1 > 0)^1 { 
    Z^0 := 0; :0 
    Y^1 := Y^1 - 1 :1 
  } :1 

This program is strongly terminating. Moreover, given a store μ such that 
μ(X) = n and μ(Z) = 0, if μ ⊨ M →^k μ' ⊨ ∅ then μ'(Z) ∈ [0, n]. M is safe using 
an operator typing environment Δ such that Δ(-1) = Δ(> 0) = {1 → 1} and 
Δ(+1) = {0 → 0} and M ⇓. Consequently, by Theorem 5 there is a polynomial 
T such that for each store μ, k ≤ T(||μ||_1). 

Example 4. Consider the following multi-thread M that shuffles two strings 
given as inputs: 

  while(¬eq_ε(X^1))^1 { 
    Z^0 := concat(head(X^1), Z^0); :0 
    X^1 := pred(X^1) :1 
  } :1 

  while(¬eq_ε(Y^1))^1 { 
    Z^0 := concat(head(Y^1), Z^0); :0 
    Y^1 := pred(Y^1) :1 
  } :1 

The negation operator ¬ and eq_ε are unary predicates and consequently can be 
typed by 1 → 1. The operator head returns the first symbol of a string given as 
input and can be typed by 1 → 0 since it is neutral. The pred operator can be typed 
by 1 → 1 since its computation is a subterm of the input. Finally, the concat op- 
erator that performs the concatenation of the symbol given as first argument with 
the second argument can be typed by 0 → 0 → 0 since |[[concat]](u, v)| = |v| + 1. 
This program is safe and strongly terminating; consequently it also terminates 
in polynomial time. 
Example 5. Consider the following multi-thread M: 

x: 

  while(X^1 > 0)^1 { 
    Y^1 := X^1; :1 
    X^1 := X^1 - 1 :1 
  } :1 

y: 

  while(Y^1 > 0)^1 { 
    Z^0 := Z^0 + 1; :0 
    Y^1 := Y^1 - 1 :1 
  } :1 

Observe that, contrarily to previous examples, the guard of y depends on in- 
formation flowing from X to Y. Given a store μ such that μ(X) = n, μ(Y) = 
μ(Z) = 0, if μ ⊨ M →^k μ' ⊨ ∅ then μ'(Z) ∈ [0, n × (n + 1)/2]. This multi- 
thread is safe with respect to a safe operator typing environment Δ such that 
Δ(-1) = Δ(> 0) = {1 → 1} and Δ(+1) = {0 → 0}. Moreover it strongly 
terminates. Consequently, it also terminates in polynomial time. 
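The intervals stated for Z in Examples 3 and 5 can be cross-checked mechanically on small inputs. The Python script below is an added example written for this page, not the paper's own code: it runs the two threads of each multi-thread under every interleaving a non-deterministic scheduler may choose and collects the final values of Z. The small-step semantics it encodes is an assumption made for the example (one scheduling step executes one assignment or one loop-guard test of the chosen thread, unary words are modelled as natural numbers, and -1 applied to 0 stays 0), and the AST encoding together with the helper names V, op, step, explore, example3_z and example5_z are constructed here.

```python
"""Exhaustive scheduling of the two-thread programs of Examples 3 and 5 (added example).
Assumptions: one scheduling step runs one assignment or one loop-guard test of the
chosen thread; unary words are natural numbers and -1 on 0 stays 0."""

# Constructed AST.  Commands: ('asg', X, E) | ('seq', C, C') | ('while', E, C).
# Expressions: ('var', X) | ('const', v) | ('op', name, (E, ...)).
OPS = {'+1': lambda v: v + 1, '-1': lambda v: max(0, v - 1), '>0': lambda v: v > 0}

def evaluate(e, store):
    if e[0] == 'var':
        return store[e[1]]
    if e[0] == 'const':
        return e[1]
    return OPS[e[1]](*(evaluate(a, store) for a in e[2]))

def step(cmd, store):
    """One small step of one thread; returns (remaining command or None, new store)."""
    if cmd[0] == 'asg':
        new = dict(store)
        new[cmd[1]] = evaluate(cmd[2], store)
        return None, new
    if cmd[0] == 'seq':
        rest, new = step(cmd[1], store)
        return (cmd[2] if rest is None else ('seq', rest, cmd[2])), new
    if cmd[0] == 'while':            # guard test: unfold the body once or exit the loop
        return (('seq', cmd[2], cmd) if evaluate(cmd[1], store) else None), store
    raise ValueError(cmd[0])

def explore(threads, store):
    """All final stores reachable under any scheduling, and the longest run length k.
    Configurations are memoised; the graph is acyclic because the programs terminate."""
    memo = {}
    def go(ths, st):
        if (ths, st) not in memo:
            if not ths:
                memo[(ths, st)] = ({st}, 0)
            else:
                finals, longest = set(), 0
                for i, th in enumerate(ths):   # the scheduler may pick any live thread
                    rest, new = step(th, dict(st))
                    others = ths[:i] + ths[i + 1:]
                    nxt = others if rest is None else others[:i] + (rest,) + others[i:]
                    f, k = go(nxt, tuple(sorted(new.items())))
                    finals |= f
                    longest = max(longest, k + 1)
                memo[(ths, st)] = (finals, longest)
        return memo[(ths, st)]
    return go(tuple(threads), tuple(sorted(store.items())))

def V(x): return ('var', x)
def op(name, *args): return ('op', name, args)

# Example 3: x increments Z while counting X down, y resets Z while counting Y down.
X3 = ('while', op('>0', V('X')), ('seq', ('asg', 'Z', op('+1', V('Z'))), ('asg', 'X', op('-1', V('X')))))
Y3 = ('while', op('>0', V('Y')), ('seq', ('asg', 'Z', ('const', 0)), ('asg', 'Y', op('-1', V('Y')))))
# Example 5: the guard of y depends on Y, which x overwrites with X on every round.
X5 = ('while', op('>0', V('X')), ('seq', ('asg', 'Y', V('X')), ('asg', 'X', op('-1', V('X')))))
Y5 = ('while', op('>0', V('Y')), ('seq', ('asg', 'Z', op('+1', V('Z'))), ('asg', 'Y', op('-1', V('Y')))))

def final_z_values(threads, store):
    finals, _ = explore(threads, store)
    return {dict(f)['Z'] for f in finals}

def example3_z(n, m):
    """Final values of Z for Example 3 from X = n, Y = m, Z = 0; claimed to lie in [0, n]."""
    return final_z_values([X3, Y3], {'X': n, 'Y': m, 'Z': 0})

def example5_z(n):
    """Final values of Z for Example 5 from X = n, Y = Z = 0; claimed to lie in [0, n(n+1)/2]."""
    return final_z_values([X5, Y5], {'X': n, 'Y': 0, 'Z': 0})

if __name__ == '__main__':
    for n in range(1, 5):
        print('Example 3, X=%d, Y=1: Z in %s' % (n, sorted(example3_z(n, 1))))
        print('Example 5, X=%d: max Z = %d, bound n(n+1)/2 = %d'
              % (n, max(example5_z(n)), n * (n + 1) // 2))
```

explore also returns the length k of the longest run, which is the quantity bounded by T(||μ||_1) in Theorem 5. Exhaustive enumeration is only feasible for small n, but that is exactly the regime in which the stated intervals can be confirmed by hand; note that in Example 5 the value 0 is reachable, since y may test its guard before x has written Y for the first time.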

Example 6. The following program computes the exponential: 

exp(X^1, Y^0): 

  while(X^1 > 0)^1 { 
    U^? := Y^0; :? 
    while(U^? > 0)^1 { 
      Y^0 := Y^0 + 1; :0 
      U^? := U^? - 1 :? 
    }; :1 
    X^1 := X^1 - 1 :1 
  }; :1 

It is not typable in our formalism. Indeed, suppose that it is typable. The com- 
mand Y := Y + 1 enforces Y to be of tier 0 since +1 is positive. Consequently, 
the command U := Y enforces U to be of tier 0 because of the typing discipline for 
assignments. However, the innermost while loop enforces U > 0 to be of tier 1, 
so that U has to be of tier 1 (because 0 → 1 is not permitted for a safe operator 
typing environment) and we obtain a contradiction. 

Example 7. As another counter-example, consider now the addition badd on bi- 
nary words: 

badd_Y: 

  while(X^? > 0)^1 { 
    X^? := X^? - 1; :? 
    Y^0 := Y^0 + 1 :0 
  } :1 

Contrarily to Example 2, the above program is not typable because the operator 
-1 has now type Δ(-1) = {0 → 0}. Indeed it cannot be neutral since the binary 
predecessor is not a subterm operator. Consequently, -1 is positive and the 
assignment X := X - 1 enforces X to be of type 0 whereas the loop guard enforces 
X to be of tier 1. Note that this counter-example is not that surprising in the 
sense that a binary word of size n may lead to a loop of length 2^n using the 
-1 operator. Of course this does not imply that the considered typing discipline 
rejects computations on binary words; it only means that this type system rejects 
exponential time programs. Consequently "natural" binary addition algorithms 
are captured, as illustrated by the following program that computes the binary 
addition on reversed binary words of equal size: 



binary_add: 

  while(¬eq_ε(X^1))^1 { 
    R^0 := result(bit(X^1), bit(Y^1), bit(C^1)); :0 
    C^1 := carry(bit(X^1), bit(Y^1), bit(C^1)); :1 
    Z^0 := concat(R^0, Z^0); :0 
    X^1 := pred(X^1); :1 
    Y^1 := pred(Y^1) :1 
  } :1 


As usual, pred is typed by 1 → 1. The negation operator ¬ and eq_ε are predicates 
and, consequently, can be typed by 1 → 1, since they are neutral. The operator 
bit returns tt or ff depending on whether the word given as input has first digit 
1 or 0, respectively. Consequently, it can be typed by 1 → 1. The operators carry 
and result, that compute the carry and the result of bit addition, can be typed by 
1 → 1 → 1 → 1 since they are neutral. Finally, the operator concat(x, y) defined 
by if [[bit]](x) = i, i ∈ {0, 1} then [[concat]](x, y) = i.y is typed by 0 → 0 → 0. 
Indeed it is a positive operator since |[[concat]](x, y)| = |y| + 1. 
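To make the typability arguments of Examples 2, 6 and 7 concrete, here is an added Python example written for this page (not the paper's own code) that encodes a tier type checker for the while-language of the examples and searches for a variable tiering Γ under which a program is well-typed. The rules it implements are a reconstruction of how the examples use the type system and are an assumption of the example: tiers 0 < 1; an expression of tier 1 may also be used at tier 0; X := E has the tier of X and requires tier(E) ≥ tier(X); while(E){C} requires E at tier 1 and has tier 1; C;C' has the larger tier of the two; and a safe operator typing environment Δ gives a positive operator only the all-0 type and a neutral operator only types whose output tier is not above any input tier. The AST encoding, the operator names '+1', '-1' and '>0', the helpers V, op, seq and the functions is_safe, tiers_of, tier_of, variables and find_typing are constructed here. On add_Y and mul_Z it recovers the annotations of Example 2, and it rejects exp and badd_Y for the reasons given in Examples 6 and 7.

```python
"""Tier type checker for the while-language of Examples 2, 6 and 7 (added example, not
the paper's code).  The typing rules are a reconstruction (assumption): tiers 0 < 1; a
tier-1 expression may also be used at tier 0; X := E has the tier of X and needs
tier(E) >= tier(X); while(E){C} needs E at tier 1 and has tier 1; C;C' has the larger
tier of the two.  A safe operator typing environment gives a positive operator only the
all-0 type and a neutral operator only types whose output tier is <= every input tier."""
from itertools import product

# Constructed AST.  Commands: ('asg', X, E) | ('seq', C, C') | ('while', E, C).
# Expressions: ('var', X) | ('const', v) | ('op', name, (E, ...)).
# delta maps an operator name to a set of types written as tuples (in_1, ..., in_n, out).

def is_safe(delta, kinds):
    """kinds maps each operator name to 'positive' or 'neutral'."""
    for name, types in delta.items():
        for ty in types:
            if kinds[name] == 'positive' and any(t != 0 for t in ty):
                return False
            if kinds[name] == 'neutral' and any(ty[-1] > t for t in ty[:-1]):
                return False
    return True

def tiers_of(e, gamma, delta):
    """Set of tiers at which expression e can be typed under the variable tiering gamma."""
    if e[0] == 'var':
        return {0, 1} if gamma[e[1]] == 1 else {0}   # tier-1 data may flow down to tier 0
    if e[0] == 'const':
        return {0, 1}                                   # constants are typable at either tier
    arg_tiers = [tiers_of(a, gamma, delta) for a in e[2]]
    outs = {ty[-1] for ty in delta[e[1]]
            if all(ty[i] in arg_tiers[i] for i in range(len(arg_tiers)))}
    return {0, 1} if 1 in outs else outs

def tier_of(c, gamma, delta):
    """Tier of command c, or None when c is not typable under gamma and delta."""
    if c[0] == 'asg':
        return gamma[c[1]] if gamma[c[1]] in tiers_of(c[2], gamma, delta) else None
    if c[0] == 'seq':
        a, b = tier_of(c[1], gamma, delta), tier_of(c[2], gamma, delta)
        return None if a is None or b is None else max(a, b)
    if c[0] == 'while':
        guard_ok = 1 in tiers_of(c[1], gamma, delta)     # loop guards must be tier 1
        return 1 if guard_ok and tier_of(c[2], gamma, delta) is not None else None
    raise ValueError(c[0])

def variables(node):
    """All variable names occurring in a command or expression."""
    if node[0] == 'var':
        return {node[1]}
    if node[0] == 'const':
        return set()
    if node[0] == 'asg':
        return {node[1]} | variables(node[2])
    children = node[2] if node[0] == 'op' else node[1:]
    return set().union(*(variables(ch) for ch in children))

def find_typing(threads, delta):
    """First variable tiering (lower tiers tried first) under which every thread of the
    multi-thread is typable, or None when no tiering works."""
    names = sorted(set().union(*(variables(t) for t in threads)))
    for tiers in product((0, 1), repeat=len(names)):
        gamma = dict(zip(names, tiers))
        if all(tier_of(t, gamma, delta) is not None for t in threads):
            return gamma
    return None

def V(x): return ('var', x)
def op(name, *args): return ('op', name, args)
def seq(*cs):
    c = cs[-1]
    for prev in reversed(cs[:-1]):
        c = ('seq', prev, c)
    return c

# Unary words, Example 2: +1 is positive, -1 and > 0 are neutral.
DELTA_UNARY = {'+1': {(0, 0)}, '-1': {(1, 1)}, '>0': {(1, 1)}}
KINDS_UNARY = {'+1': 'positive', '-1': 'neutral', '>0': 'neutral'}
ADD_Y = ('while', op('>0', V('X')), seq(('asg', 'X', op('-1', V('X'))),
                                        ('asg', 'Y', op('+1', V('Y')))))
MUL_Z = seq(('asg', 'Z', ('const', 0)),
            ('while', op('>0', V('X')), seq(
                ('asg', 'X', op('-1', V('X'))),
                ('asg', 'U', V('Y')),
                ('while', op('>0', V('Y')), seq(('asg', 'Y', op('-1', V('Y'))),
                                                ('asg', 'Z', op('+1', V('Z'))))),
                ('asg', 'Y', V('U')))))
# Example 6: U is needed at tier 1 by the inner guard and at tier 0 by U := Y.
EXP = ('while', op('>0', V('X')), seq(
    ('asg', 'U', V('Y')),
    ('while', op('>0', V('U')), seq(('asg', 'Y', op('+1', V('Y'))),
                                    ('asg', 'U', op('-1', V('U'))))),
    ('asg', 'X', op('-1', V('X')))))
# Binary words, Example 7: the predecessor is positive, so it is only typed 0 -> 0.
DELTA_BINARY = {'+1': {(0, 0)}, '-1': {(0, 0)}, '>0': {(1, 1)}}
BADD_Y = ADD_Y   # same program text as add_Y, different operator environment

if __name__ == '__main__':
    print(find_typing([ADD_Y], DELTA_UNARY), find_typing([MUL_Z], DELTA_UNARY))
    print(find_typing([EXP], DELTA_UNARY), find_typing([BADD_Y], DELTA_BINARY))
```

The search over Γ is exhaustive (2^n tierings for n variables), which is fine for programs of this size; a real implementation would infer tiers by constraint solving. is_safe encodes the safety condition on Δ that the examples rely on: it is what rules out 0 → 1 for > 0 in Example 6 and what forces the binary -1 of Example 7 to the type 0 → 0, so that the very same program text is typable with the unary environment and untypable with the binary one.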



